informa
News

Five Unsolved Mysteries of Security

Not every security problem gets a quick solution - can these mysteries ever be solved?

Ever wonder what happened to a once-hot security revelation that went from the radar screen to near-obscurity -- or to so much exposure that it became passé -- with no apparent resolution? What was really behind big blow-ups like the defunct Week of Oracle Database Bugs (That Never Was)?

Some security issues remain a mystery, even to the experts, either because they're too tough to fix right now (think cross-site scripting), or because we want to know what's really going on behind the scenes among the players involved.

Like any good mystery, the fun is in the process of trying to get to the bottom of whodunit, with all the twists and wrong turns along the way. So we've compiled a list of Five Unsolved Mysteries of Security that experts just can't seem to solve or let go.

So kick back and put on your best Nancy Drew, Hardy Boys, or CSI hat.

1. Where are the ISPs in the battle against botnets?

They are the front lines of the botnet battle, but where are the ISPs? ISPs traditionally haven't been the first lifeline you think of for tracing and killing these global networks of zombies that spew spam and malware around the Internet. (See Big, Fat Bot-Ache and Botnets Don Invisibility Cloaks.)

ISPs today just don’t have the resources in place to fight the good fight. And the financial incentive may not be there just yet, either, experts say. "I don't think the botnet problem is large enough in the U.S. to catch ISPs' attention here yet," says David Maynor, CTO of Errata Security. "It will have to start costing them a lot of money first." (See Errata Debuts Security Services.)

But there are some ISPs that are proactive and engaged in the battle. Earthlink, for instance, works with its users in a so-called "feedback loop system" where users click on a "this is spam" button, so that helps Earthlink update its filters. This approach now blocks anywhere from 20,000 to 35,000 new zombies each day, according to Mary Youngblood, senior product manager for antispam at Earthlink.

Youngblood researches botnets in part by tracking their IP addresses and watching for trends in address ranges in order to block the infected machines. Earthlink is also an active member of the Messaging Anti-Abuse Working Group (MAAWG), which includes Microsoft, Verizon, Cox Communications, Comcast, and Bellsouth, and recently added behavioral monitoring to help detect zero-day exploits.

"We have always been on the leading edge in finding new ways to fight spam," she says. "We will use every weapon in our arsenal to go after these bad guys: technology, public policy, and lawsuits. We're trying to hit them on all fronts."

Careful what you wish for, though, warns Dan Kaminsky, director of penetration testing for IOActive. For ISPs to be actively involved in the actual elimination of bots, they would need remote access to your desktop, he notes.

"And guess what: I don't want an ISP to have root on my box," he says. "Why should an ISP be in the position to monitor what software I'm running? Should they even know? But on the flip side, we are not winning the bot war, we’re losing it substantially, which may require a rethinking of networking in general and how we deal with botnets," he says. "Even if you gave Comcast or another ISP root on millions of machines so they could see if botnets are on them... Botnet authors could just hide from them."

ISPs should definitely be actively quashing command and control botnet nodes that run on their networks, though, he says.

Today, they mostly look for traffic anomalies and then throttle the offending network links, says Rob Enderle, principal consultant with the Enderle Group. "But it would be nice if they told you there was a problem, though, wouldn’t it?"

2. What ever happened to the Week of Oracle Bugs?

This was one bug disclosure project that never even got off the ground, and some researchers say that may have been for the best.

Cesar Cerrudo, the researcher who announced his plans for the Week of Oracle Database Bugs in December, scrapped the project before he posted a single database bug. Details of exactly what prompted Cerrudo, founder and CEO of Argeniss, to drop it are still sketchy.

Speculation about Oracle muscling Argeniss circulated in blogs and message boards, as did questions surrounding whether Cerrudo was bluffing that he had any bugs to disclose. Cerrudo says he had, and still has, enough bugs to fill a month -- and then some.

Cerrudo says Oracle never contacted him at all: "They just don't care."

He says he canceled the bug disclosure project because one of his clients "has some relation with Oracle" that could be "indirectly" hurt by the disclosure of the bugs. "This customer knew about our plans and everything was okay in the beginning, but then they changed their mind -- maybe some Oracle pressure? Who knows."

Oracle has made it clear it does not support researchers disclosing unpatched bugs, and says it prioritizes security flaws in order of severity when developing patches. "We are not aware of the specific reasons why Cesar Cerrudo did not launch the program," an Oracle spokesperson says.

Some researchers say it's definitely not in Oracle's, nor its customers', best interests to reveal zero-day bugs in the database software, anyway. Vulnerability problems are a Catch-22 with Oracle's software: "Oracle knows they have a problem. Do they have the resources to fix it? Frankly, they do not... Oracle's code is huge and it's evolved over a long period of time," Kaminsky says, and patching each bug is so time-consuming that it would leave users exposed.

"Do we need actual exploits [released]? Arguably, not."

Still, Cerrudo promises he hasn't given up on disclosing Oracle bugs in some format. "We will continue publishing things related with Oracle every time we can. Nothing has changed for us."

3. Website security: It's nearly impossible to not find XSS bugs in Websites these days.

By now, nearly every Webmaster and Website developer has heard of cross-site scripting (XSS), but how many have really fixed their XSS flaws?

Some 70 percent of Websites carry XSS flaws, which means somewhere around 100 million sites are waiting there like sitting ducks, according to estimates by Jeremiah Grossman, CTO of White Hat Security. And get this: It will be a big problem for the next decade, he predicts.

XSS basically is the new buffer overflow, and there isn't much you can do because it's so pervasive and such an ingrained problem that spans a lot of code.

"Cross-site scripting vulnerabilities are a difficult problem to get a handle on because of their incredible pervasiveness," Grossman says. "These problems are amplified by the change rate of application code, lack of understanding of common Web attacks, limited adoption of security-enhanced development frameworks, and inconsistent vulnerability assessment."

All you can really do today is fix any XSS flaws you (or as in our case here at Dark Reading, a friendly hacker) find and do it over and over. "But when you have to do it many, many times, that is the challenge," Grossman says.

IOActive's Kaminsky blames it on the fact that Web code, especially Web 2.0-based technology, has been cobbled together, and XSS bugs, Cross Site Request Forgery (CSRF), SQL injection, and XML injection are basically inherent in the design. "Software developers need to be aware of these attacks and start dealing with them."

He expects standard tools, practices, and filters to eventually address Website and Web application flaws like XSS, starting with EC sites, for instance. "My expectation is as we get better standardized and rock-solid defenses, we will see some of this stuff get into standardized scanning tools."

Still, it won't be the silver bullet. "I'm not saying these problems are going to go away. The Web is an evolving environment," Kaminsky says.

4. Why is iDefense Labs spending big bucks soliciting working zero-day exploits -- even more than for just proof of the bugs themselves?

iDefense Labs has been holding hacker contests for bugs for some time now. But the one that got the most attention was its latest one -- an $8,000 bounty for each winning vulnerability in Windows Vista and Internet Explorer 7 it selects, plus another $2,000 to $4,000 for an exploit to go with it. (See iDefense Offers Bounty for Vista, IE7 Bugs.)

If the bug-of-the-month project model is losing its luster, what's up with these bugs-for-bucks ploys? (See Bucks for Bugs.) And why isn't a proof-of-concept contest enough rather than providing incentive for working exploits that could fall into the wrong hands?

"It's hard to ascertain the reason that they would pay more for a 'reliable' exploit -- one that can be deployed in the real world -- as opposed to a convincing proof of concept," says Thomas Ptacek, a researcher with Matasano Security.

iDefense officials say they added the exploit award money because some researchers will include exploits with their entries while others don't, so they decided to even the playing field a bit by dropping the award from a flat $10,000 to $8,000 plus the exploit.

Other researchers say you've got to stand by your bug with an exploit to prove it's for real. "Exploits prove a problem is actually real," says Errata's Maynor. "In theory, [a bug] could be so tricky that it couldn't really be used in a reliable fashion."

"If you want to convince a developer to fix it, they've got to see code," Kaminsky says. That proves that the bug won't merely crash the system, but actually do some damage."

What does iDefense do with the bugs and exploits, anyway? "Our customers are looking for us to find new vulnerabilities so we can help their vendors fix them," says Rick Howard, director of intelligence for iDefense, which has large financial institutions and government agencies among its clientèle. "When we find a new vulnerability, we notify the vendor responsible and then tell the customer base about it. We don't go public with it until the vendor fixes it."

Paul Henry, vice president of security evangelism for Secure Computing, says iDefense is merely trying to make a name for itself in Vista vulnerability research.

"Now that everyone is waiting for the other shoe to drop with Vista [vulnerabilities], they are trying to buy their way into it." Whether it was for research purposes or publicity, he isn't sure, Henry says.

He says the exploit bounty was probably more of a publicity stunt. "But keep in mind that the reaction from the research community is that the offer is simply too low for serious consideration, as vulnerabilities are currently commanding anywhere in the range of $25,000 to $75,000."

Says Enderle, "It does make you wonder what criminals would pay for these things, though, huh?"

5. Did David Maynor actually create a working exploit for the wireless flaws he presented at Black Hat? And what did Apple know?

Apple dismissed it, and Maynor, the researcher who demonstrated a controversial wireless hack at Black Hat last summer maintains that he did indeed write a working exploit for the Apple wireless hack, as well as some non-Apple exploits. "The thing a lot of people don't understand is that there was more than one [exploit]."

And there's still plenty of confusion and debate over the Black Hat session, where Maynor, then with SecureWorks, and researcher Jon Ellch (a.k.a. Johnnycache), detailed wireless driver vulnerabilities. Maynor says for now he only can say this: "We released none of the code demonstrated by us at Black Hat, but that wasn't really our choice. We wanted to release code, but were not able to."

Adding to the confusion, Apple later patched the flaw, but did not credit Maynor with the find.

Some researchers are skeptical of Maynor's demo. "They never produced a flaw that involved the Mac built-in wireless card or Mac drivers -- all they produced was a vulnerability in a third-party card with a third-party driver," says Secure Computing's Henry. "If they had it, I would have to believe they would have produced it to regain some of the credibility that they may have lost through this ordeal."

Henry says because the researchers didn't make the exploit public, he doesn't fault Apple for denying the bug existed.

Ellch, meanwhile, has said he regrets not releasing an exploit, which he and Maynor did not do because it was unpatched. (See Johnny Cache: Man in Black (Hat).)

Some researchers argue that the incident demonstrated the sticky wicket of "responsible disclosure," or awaiting a vendor's blessing before going public on a bug.

"It works in the vendor's favor by making advisories more orderly, and by giving vendors a say. But on the other hand, it creates havoc when fragments of advisories are published without all the context behind them," says Matasano Security's Ptacek. "The biggest misstep made, on both sides, was getting the lawyers involved."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Recommended Reading: